What Is AWS Directory Service?

AWS Directory Service provides multiple ways to use Amazon Cloud Directory and Microsoft Active Directory with other AWS services. You can choose the directory service with the features you need at a cost that fits your budget.

Which to Choose?

The following information will help you decide which AWS Directory Service option
is right for you:

Amazon Cloud Directory is a cloud-native directory that can store hundreds of millions of application-specific objects with multiple relationships and schemas.

When to use

Amazon Cloud Directory is a great choice when you need to build application directories such as device registries, catalogs, social networks, organization structures, and network topologies. For more information, see Amazon Cloud Directory.

Amazon Cognito is a user directory that adds sign-up and sign-in to your
mobile app or web application using Amazon Cognito User Pools.

When to use

You can also use Amazon Cognito when you need to create custom registration fields and store that metadata in your user directory. This fully managed service scales to support hundreds of millions of users. For more information, see Creating and Managing User Pools.

AWS Directory Service for Microsoft Active Directory (Enterprise Edition) is a managed Microsoft Active Directory hosted on the AWS cloud. It provides much of the functionality offered by Microsoft Active Directory plus integration with AWS applications. With the additional Active Directory functionality, you can, for example, easily set up trust relationships with your existing Active Directory domains to extend those directories to AWS services.

You can also use Microsoft AD to enable multi-factor authentication by integrating with your existing RADIUS-based MFA infrastructure to provide an additional layer of security when users access AWS applications. For more information, see Multi-Factor Authentication.

When to use

Microsoft AD is your best choice if you have more than 5,000 users and need a trust relationship set up between an AWS hosted directory and your on-premises directories. For more information, see Microsoft Active Directory.

AD Connector is a proxy service for connecting your on-premises
Microsoft Active Directory to the AWS cloud without requiring complex directory
synchronization or the cost and complexity of hosting a federation infrastructure.

AD Connector forwards sign-in requests to your Active Directory domain controllers for authentication and provides the ability for applications to query the directory for data. After setup, your users can use their existing corporate credentials to log on to AWS applications, such as Amazon WorkSpaces, Amazon WorkDocs, or Amazon WorkMail. With the proper IAM permissions, they can also access the AWS Management Console and manage AWS resources such as Amazon EC2 instances or Amazon S3 buckets.

You can also use AD Connector to enable multi-factor authentication by integrating with your existing RADIUS-based MFA infrastructure to provide an additional layer of security when users access AWS applications. For more information, see Enable Multi-Factor Authentication for AD Connector.

With AD Connector, you continue to manage your Active Directory as usual. For example, adding new users, adding new groups, or updating passwords is all accomplished using standard directory administration tools with your on-premises directory. Thus, in addition to providing a streamlined experience for your users, AD Connector enables consistent enforcement of your existing security policies, such as password expiration, password history, and account lockouts, whether users are accessing resources on premises or in the AWS cloud.

When to use

AD Connector is your best choice when you want to use your existing on-premises
directory with AWS services. For more information, see Active Directory Connector.

Simple AD is a Microsoft Active Directory–compatible directory from AWS Directory Service that is powered by Samba 4. Simple AD supports commonly used Active Directory features such as user accounts, group memberships, domain-joining Amazon Elastic Compute Cloud (Amazon EC2) instances running Linux and Microsoft Windows, Kerberos-based single sign-on (SSO), and group policies. This makes it even easier to manage Amazon EC2 instances running Linux and Windows, and deploy Windows applications in the AWS cloud.

Many of the applications and tools you use today that require Microsoft Active Directory support can be used with Simple AD. User accounts in Simple AD can also access AWS applications, such as Amazon WorkSpaces, Amazon WorkDocs, or Amazon WorkMail. They can also use AWS Identity and Access Management roles to access the AWS Management Console and manage AWS resources. Finally, Simple AD provides daily automated snapshots to enable point-in-time recovery.

Note that you cannot set up trust relationships between Simple AD and other Active Directory domains. Other common features not supported today by Simple AD include DNS dynamic update, schema extensions, multi-factor authentication, communication over LDAPS, PowerShell AD cmdlets, and the transfer of FSMO roles. Please ensure that any required applications or features installed with Simple AD are fully compatible with Samba 4. For more information, see https://www.samba.org.

When to use

In most cases, Simple AD is the least expensive option and your best choice if you have 5,000 or fewer users and don’t need the more advanced Microsoft Active Directory features. For more information, see Simple Active Directory.
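The caveats above (Simple AD has no trusts, MFA, or LDAPS; MFA on Microsoft AD and AD Connector depends on a RADIUS integration; the 5,000-user guideline) can be turned into an inventory check. The function below is an added example, not AWS's own code; it assumes the input has the shape of boto3's `ds.describe_directories()` response, and the directory IDs and names are constructed sample values.

```python
"""Inventory check over AWS Directory Service directories (added example)."""

# Constructed sample shaped like a DescribeDirectories response; the IDs,
# names and RADIUS server address are made up, not from a real account.
SAMPLE_DIRECTORIES = {
    "DirectoryDescriptions": [
        {"DirectoryId": "d-EXAMPLE0001", "Name": "corp.example.com",
         "Type": "MicrosoftAD", "RadiusStatus": "Completed",
         "RadiusSettings": {"RadiusServers": ["10.0.0.5"]}},
        {"DirectoryId": "d-EXAMPLE0002", "Name": "onprem.example.com",
         "Type": "ADConnector"},                 # no RADIUS integration
        {"DirectoryId": "d-EXAMPLE0003", "Name": "lab.example.com",
         "Type": "SimpleAD"},
    ]
}

# Features the page lists as unsupported by Simple AD.
SIMPLE_AD_GAPS = (
    "no trust relationships", "no DNS dynamic update", "no schema extensions",
    "no multi-factor authentication", "no LDAPS", "no PowerShell AD cmdlets",
    "no FSMO role transfer",
)


def audit_directories(response, expected_users=None):
    """Return {DirectoryId: [findings]} based on the page's stated caveats."""
    findings = {}
    for d in response.get("DirectoryDescriptions", []):
        notes = []
        dtype = d.get("Type")
        if dtype == "SimpleAD":
            notes.extend(SIMPLE_AD_GAPS)
            if expected_users is not None and expected_users > 5000:
                notes.append("more than 5,000 users: Microsoft AD recommended")
        elif dtype in ("MicrosoftAD", "ADConnector"):
            # MFA for these types is delivered through RADIUS, so a missing or
            # incomplete RADIUS configuration means MFA is not in effect.
            if d.get("RadiusStatus") != "Completed" or not d.get("RadiusSettings"):
                notes.append("RADIUS MFA not configured")
        else:
            notes.append(f"unrecognised directory type: {dtype!r}")
        findings[d["DirectoryId"]] = notes
    return findings


if __name__ == "__main__":
    for directory_id, notes in audit_directories(SAMPLE_DIRECTORIES).items():
        print(directory_id, "->", "; ".join(notes) or "no findings")
```

To run it against a real account, pass the dict returned by `boto3.client("ds").describe_directories()` in place of the sample.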